
SharePoint RCE CVE-2026-45659 Added to CISA KEV Following Active Exploitation


On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity Microsoft SharePoint Server vulnerability, CVE-2026-45659 (CVSS score 8.8), to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that the flaw is being actively exploited. The vulnerability is a remote code execution issue arising from the deserialization of untrusted data.

Microsoft patched the vulnerability in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The critical detail in Microsoft's advisory is that any authenticated user can exploit the flaw; no administrative or otherwise elevated privileges are required. A user holding only basic Site Member permissions could therefore execute code remotely on the SharePoint server.

CISA's KEV entry states that Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability that allows an authorized attacker to execute code over a network. Notably, Microsoft's own advisory had rated the flaw "Exploitation Less Likely." It remains unclear how the vulnerability is being exploited in the wild, who is responsible, or what the attackers' objectives are.

In response, CISA is requiring all Federal Civilian Executive Branch (FCEB) agencies to apply the patches by July 4, 2026.

The SharePoint flaw is not the only cause for concern. Late last month, Microsoft published findings from a ransomware investigation that uncovered two separate attackers operating in parallel within the same network. The overlap complicated incident response, as both sets of attackers used techniques to maintain access and obscure their activity.

One threat actor, tracked as Storm-2603, is known for deploying Warlock ransomware and has been exploiting vulnerabilities in on-premises SharePoint servers since mid-2025. Microsoft said the group's initial access in this case likely came through a different vulnerability: the attackers were observed probing for files such as win.ini and web.config, a common reconnaissance tactic in local file inclusion attacks, and the investigation pointed to CVE-2025-11371 (CVSS score 9.1), a critical vulnerability in Gladinet Triofox, as the likely entry point.
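The probing for win.ini and web.config described above is a pattern defenders can hunt for in web server logs. The following is an added example (not from the article or from Microsoft's report) that decodes request paths and query strings, including double-encoded variants, and flags requests that reference those files or contain directory-traversal sequences. The log lines are constructed samples in a simplified IIS/W3C-style layout; the field order, the `/download.ashx` handler path and the IP addresses are assumptions for this demo, not indicators from the incident.

```python
"""Added example (not from the article or Microsoft's report): a small detector
for web requests that probe for local files such as win.ini or web.config, the
local-file-inclusion reconnaissance pattern described in the article.
The log lines below are constructed samples in a simplified IIS/W3C-style
layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status); the field
order, the handler path and the IP addresses are assumptions for this demo."""
import re
from collections import Counter
from urllib.parse import unquote

# Files attackers commonly request to confirm traversal works (win.ini is a
# harmless Windows file) or to harvest secrets (web.config holds app settings).
PROBE_FILES = re.compile(r"(?:^|/)(win\.ini|web\.config)$", re.IGNORECASE)
# Directory-traversal sequence, checked after decoding and slash normalization.
TRAVERSAL = re.compile(r"\.\./")

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-06-02 08:14:01 203.0.113.10 GET /_layouts/15/start.aspx - 200
2026-06-02 08:14:07 203.0.113.10 GET /download.ashx file=..%2F..%2F..%2Fwindows%2Fwin.ini 200
2026-06-02 08:14:09 203.0.113.10 GET /download.ashx file=..%252F..%252Fweb.config 500
2026-06-02 08:14:12 198.51.100.7 GET /sites/hr/Shared%20Documents/budget.xlsx - 200
2026-06-02 08:14:15 203.0.113.10 GET /..%5C..%5Cwindows%5Cwin.ini - 404
"""


def fully_decode(value, max_rounds=3):
    """Strip up to max_rounds layers of percent-encoding and normalize
    backslashes to slashes; return (text, rounds). Repeated rounds catch
    double-encoded payloads such as %252F."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value.replace("\\", "/"), rounds


def parse_line(line):
    """Parse one W3C-style line into a dict, or None for comments/short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time_, client, method, stem, query, status = parts[:7]
    return {"ts": f"{date} {time_}", "client": client, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def classify(entry):
    """Return the reasons (possibly none) a request looks like an LFI probe."""
    reasons = []
    stem, stem_rounds = fully_decode(entry["stem"])
    query, query_rounds = fully_decode(entry["query"])
    if PROBE_FILES.search(stem):
        reasons.append("sensitive-file-in-path")
    for param in query.split("&"):
        value = param.partition("=")[2]  # text after '=' ('' if absent)
        if PROBE_FILES.search(value):
            reasons.append("sensitive-file-in-query")
    if TRAVERSAL.search(stem) or TRAVERSAL.search(query):
        reasons.append("path-traversal")
    if max(stem_rounds, query_rounds) > 1:
        reasons.append("multi-layer-encoding")
    return reasons


def detect_probes(lines):
    """Return (timestamp, client, stem, query, reasons) for suspicious requests.
    The HTTP status is deliberately ignored: a 404 still shows intent, and a
    200 shows the probe may have succeeded."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ts"], entry["client"], entry["stem"],
                         entry["query"], reasons))
    return hits


def probes_by_client(lines):
    """Count suspicious requests per source address to surface scanners."""
    return Counter(hit[1] for hit in detect_probes(lines))


if __name__ == "__main__":
    for hit in detect_probes(SAMPLE_LOG.splitlines()):
        print(*hit)
    print(probes_by_client(SAMPLE_LOG.splitlines()))
```

Run against the constructed sample, the detector flags three of the five requests, all from the same source address, which is the per-client clustering that distinguishes a scanner from a one-off odd URL. In production the same checks would run over the IIS logs of any internet-facing .NET application, with the status code kept in the output so that successful (200) reads of web.config can be triaged first.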

Once inside the network, the attackers reportedly used tools such as Velociraptor to blend malicious activity with legitimate administrative processes. They established multiple remote access channels via Cloudflare tunneling, Zoho Assist, and Secure Shell (SSH) connections configured through Visual Studio Code. They then created new local and domain administrator accounts and abused a vulnerable driver, "NSecKrnl.sys", to tamper with endpoint security controls and reduce the chance of detection.

Meanwhile, further investigation uncovered a second, unrelated threat actor in the same environment. This actor used DLL side-loading and custom backdoors, further complicating attribution and response. Evidence also suggested that this second group had moved laterally from the initial network into another organization, which corroborated reports of ransomware activity attributed to Storm-2603.

The findings highlight a concerning trend: overlapping activity by different threat actors can sustain access while obscuring the full extent of an intrusion. Microsoft's Incident Response team emphasized that a seemingly isolated ransomware incident can expand into a complex scenario spanning multiple organizations and actors, whose mixed tactics complicate detection.

The implication for security teams is that isolated signals rarely give a complete picture of an intrusion. Organizations should treat a single finding as a starting point for a wider investigation and keep monitoring their environments continuously for signs of these overlapping, increasingly sophisticated intrusions.
